From f5d6c7c114f3c88ba1d3b04d89f51bf060d98861 Mon Sep 17 00:00:00 2001 From: Otavio Salvador Date: Mon, 19 Jun 2023 18:09:54 -0300 Subject: [PATCH] Initial code 
Signed-off-by: Otavio Salvador --- .github/dependabot.yaml | 9 + .github/workflows/ci.yaml | 44 ++++ .github/workflows/update-flake.yaml | 23 ++ .gitignore | 1 + flake.lock | 199 ++++++++++++++++++ flake.nix | 80 +++++++ hosts/centrium/default.nix | 22 ++ hosts/centrium/partitioning.nix | 47 +++++ hosts/features/required/auto-upgrade.nix | 14 ++ hosts/features/required/console.nix | 8 + hosts/features/required/default.nix | 29 +++ .../required/disable-desktop-features.nix | 15 ++ .../features/required/disable-global-dhcp.nix | 3 + hosts/features/required/disk-scheduler.nix | 12 ++ hosts/features/required/docker.nix | 5 + hosts/features/required/firmware.nix | 3 + hosts/features/required/home-manager.nix | 10 + .../features/required/latest-linux-kernel.nix | 7 + hosts/features/required/locale.nix | 13 ++ hosts/features/required/network.nix | 14 ++ hosts/features/required/nix.nix | 46 ++++ hosts/features/required/nixpkgs.nix | 10 + hosts/features/required/no-mitigations.nix | 7 + hosts/features/required/openssh.nix | 24 +++ hosts/features/required/sudo.nix | 3 + hosts/features/required/upgrade-diff.nix | 9 + hosts/features/required/vscode-server.nix | 9 + hosts/features/required/watchdog.nix | 30 +++ hosts/hyper/default.nix | 22 ++ hosts/hyper/partitioning.nix | 47 +++++ hosts/installer/default.nix | 51 +++++ hosts/pikachu/default.nix | 22 ++ hosts/pikachu/partitioning.nix | 47 +++++ lib/default.nix | 47 +++++ overlays/default.nix | 17 ++ pkgs/default.nix | 2 + set-nixos-configuration | 6 + users/aquino/default.nix | 57 +++++ users/otavio/default.nix | 63 ++++++ users/rodrigo/default.nix | 65 ++++++ 40 files changed, 1142 insertions(+) create mode 100644 .github/dependabot.yaml create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/update-flake.yaml create mode 100644 .gitignore create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/centrium/default.nix create mode 100644 hosts/centrium/partitioning.nix create 
mode 100644 hosts/features/required/auto-upgrade.nix create mode 100644 hosts/features/required/console.nix create mode 100644 hosts/features/required/default.nix create mode 100644 hosts/features/required/disable-desktop-features.nix create mode 100644 hosts/features/required/disable-global-dhcp.nix create mode 100644 hosts/features/required/disk-scheduler.nix create mode 100644 hosts/features/required/docker.nix create mode 100644 hosts/features/required/firmware.nix create mode 100644 hosts/features/required/home-manager.nix create mode 100644 hosts/features/required/latest-linux-kernel.nix create mode 100644 hosts/features/required/locale.nix create mode 100644 hosts/features/required/network.nix create mode 100644 hosts/features/required/nix.nix create mode 100644 hosts/features/required/nixpkgs.nix create mode 100644 hosts/features/required/no-mitigations.nix create mode 100644 hosts/features/required/openssh.nix create mode 100644 hosts/features/required/sudo.nix create mode 100644 hosts/features/required/upgrade-diff.nix create mode 100644 hosts/features/required/vscode-server.nix create mode 100644 hosts/features/required/watchdog.nix create mode 100644 hosts/hyper/default.nix create mode 100644 hosts/hyper/partitioning.nix create mode 100644 hosts/installer/default.nix create mode 100644 hosts/pikachu/default.nix create mode 100644 hosts/pikachu/partitioning.nix create mode 100644 lib/default.nix create mode 100644 overlays/default.nix create mode 100644 pkgs/default.nix create mode 100755 set-nixos-configuration create mode 100644 users/aquino/default.nix create mode 100644 users/otavio/default.nix create mode 100644 users/rodrigo/default.nix diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000..7fc7a9e --- /dev/null +++ b/.github/dependabot.yaml 
@@ -0,0 +1,9 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + target-branch: "master" + schedule: + interval: "weekly" + commit-message: + prefix: "ci:" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..af24963 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,44 @@ +name: "CI" + +on: + pull_request: + paths: + - '**.nix' + - 'flake.lock' + push: + branches: [ master ] + paths: + - '**.nix' + - 'flake.lock' + +jobs: + check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Install Nix + uses: nixbuild/nix-quick-install-action@v22 + with: + nix_conf: experimental-features = nix-command flakes repl-flake + - uses: cachix/cachix-action@v12 + with: + name: otavio-nix-config + authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + - run: nix flake check + + nixos: + runs-on: ubuntu-latest + strategy: + matrix: + nixosConfiguration: + - centrium + - hyper + - pikachu + steps: + - run: sudo apt-get clean + - uses: actions/checkout@v3 + - name: Install Nix + uses: nixbuild/nix-quick-install-action@v22 + with: + nix_conf: experimental-features = nix-command flakes repl-flake + - run: nix -Lv build ".#nixosConfigurations.${{ matrix.nixosConfiguration }}.config.system.build.toplevel" diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml new file mode 100644 index 0000000..3015cc8 --- /dev/null +++ b/.github/workflows/update-flake.yaml 
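Review bot: The `cachix/cachix-action` step in the `check` job runs on `pull_request` with `CACHIX_AUTH_TOKEN`, and that action by default pushes whatever the job builds to `otavio-nix-config`, a cache whose signing key every host in this patch lists under `trusted-public-keys`; a same-repository PR can therefore seed the trusted cache before review (fork PRs do not receive secrets, so the exposure is limited to collaborators). Gate the push on the trusted event, e.g. `if: github.event_name == 'push'` on the cachix step, or set `skipPush: true` when `github.event_name == 'pull_request'`. The actions are also referenced by mutable tags (`actions/checkout@v3`, `nixbuild/nix-quick-install-action@v22`, `cachix/cachix-action@v12`); pinning to full commit SHAs with the tag in a trailing comment keeps Dependabot bumps reviewable while taking tag retargeting out of the trust boundary.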
@@ -0,0 +1,23 @@ +name: update-flake-lock +on: + workflow_dispatch: # allows manual triggering + schedule: + - cron: '0 0 * * 0' # runs weekly on Sunday at 00:00 + +jobs: + lockfile: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + - name: Install Nix + uses: nixbuild/nix-quick-install-action@v22 + with: + nix_conf: experimental-features = nix-command flakes repl-flake + - name: Update flake.lock + id: update + uses: DeterminateSystems/update-flake-lock@v19 + with: + token: ${{ secrets.GH_TOKEN_FOR_UPDATES }} + - name: Print PR number + run: echo Pull request number is ${{ steps.update.outputs.pull-request-number }}. diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b25c15b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*~ diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..733556f --- /dev/null +++ b/flake.lock 
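Review bot: The lock-file PRs this workflow opens feed directly into what `system.autoUpgrade` in this same patch fetches hourly and activates as root on every host, so they need the normal review and CI gates and must never be auto-merged; a `flake.lock` bump is a full dependency update of the running fleet, not a chore. `GH_TOKEN_FOR_UPDATES` is the credential that decides which commits reach the hosts, so it should be a fine-grained token scoped to this repository with only contents and pull-request write access, and rotated if the default branch is ever exposed. A comment above the `token:` line stating that scope would help the next person who replaces it.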
@@ -0,0 +1,199 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1687028856, + "narHash": "sha256-vKV3I31tmXwaWHiUOgfDVd27cEHqaPBr1lt9+NKdIp8=", + "owner": "nix-community", + "repo": "disko", + "rev": "64c9c78c15fd4c899d857bf09dba88bda771b43a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1687163790, + "narHash": "sha256-CmG/ZdswJrWM0CMgJiVyWfO6LqaI4SKEAx9IrnYDrpI=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "ac53777f52929bc82efcd2830bfc5aa60bcb4337", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1686838567, + "narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89", + "type": "github" + }, + "original": { + "id": "nixos-hardware", + "type": "indirect" + } + }, + "nixpkgs": { + "locked": { + 
"lastModified": 1686582075, + "narHash": "sha256-vtflsfKkHtF8IduxDNtbme4cojiqvlvjp5QNYhvoHXc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7e63eed145566cca98158613f3700515b4009ce3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1687017257, + "narHash": "sha256-jbk0Szj1DPe9KwySeMr3KzYqW1JaUKJ6lYwSLMvc1n0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "aaef163eac75c2ac7f882c1fae4e0c08aa18d186", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1682134069, + "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fd901ef4bf93499374c5af385b2943f5801c0833", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "disko": "disko", + "flake-utils": "flake-utils", + "home-manager": "home-manager", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs_2", + "vscode-server": "vscode-server" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "vscode-server": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + 
"lastModified": 1684517665, + "narHash": "sha256-SaAr66uCQ8CF75jIr23FZjk1+9Kfwm5sQnwV25206Gs=", + "owner": "nix-community", + "repo": "nixos-vscode-server", + "rev": "1e1358493df6529d4c7bc4cc3066f76fd16d4ae6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-vscode-server", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..c8bf2cc --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,80 @@ +{ + description = "Otavio Salvador's NixOS/Home Manager config"; + + inputs = { + nixpkgs.url = "nixpkgs/nixos-23.05"; + flake-utils.url = "github:numtide/flake-utils"; + home-manager = { + url = "github:nix-community/home-manager/release-23.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + vscode-server.url = "github:nix-community/nixos-vscode-server"; + nixos-hardware.url = "nixos-hardware"; + disko.url = "github:nix-community/disko"; + }; + + outputs = { self, ... }@inputs: + let + inherit (self) outputs; + lib = import ./lib { inherit inputs outputs; }; + in + { + overlays = import ./overlays { inherit inputs outputs; }; + + nixosConfigurations = { + centrium = lib.mkSystem { + hostname = "centrium"; + system = "x86_64-linux"; + }; + + hyper = lib.mkSystem { + hostname = "hyper"; + system = "x86_64-linux"; + }; + + pikachu = lib.mkSystem { + hostname = "pikachu"; + system = "x86_64-linux"; + }; + }; + + packages = builtins.foldl' + (packages: hostname: + let + inherit (self.nixosConfigurations.${hostname}.config.nixpkgs) system; + targetConfiguration = self.nixosConfigurations.${hostname}; + in + packages // { + ${system} = (packages.${system} or { }) // { + "${hostname}-install-iso" = lib.mkInstallerForSystem { inherit hostname targetConfiguration system; }; + }; + }) + { } + (builtins.attrNames self.nixosConfigurations); + } // inputs.flake-utils.lib.eachSystem [ "x86_64-linux" ] (system: + let + inherit (self) outputs; + pkgs = import inputs.nixpkgs { inherit system outputs; }; + in + { + formatter = pkgs.writeShellApplication { + name = "normalise_nix"; + runtimeInputs = with pkgs; [ nixpkgs-fmt statix ]; + text = '' + set -o xtrace + nixpkgs-fmt "$@" + statix fix "$@" + ''; + }; + + checks = { + lint = pkgs.runCommand "lint-code" { nativeBuildInputs = with pkgs; [ nixpkgs-fmt deadnix statix ]; } '' + deadnix --fail ${./.} + #statix check ${./.} # https://github.com/nerdypepper/statix/issues/75 + nixpkgs-fmt --check ${./.} + touch $out + 
''; + }; + }); +} diff --git a/hosts/centrium/default.nix b/hosts/centrium/default.nix new file mode 100644 index 0000000..bd2557b --- /dev/null +++ b/hosts/centrium/default.nix @@ -0,0 +1,22 @@ +{ inputs, ... }: + +{ + imports = with inputs.nixos-hardware.nixosModules; [ + common-cpu-intel + common-pc-ssd + ] ++ [ + ../features/required + + ./partitioning.nix + ]; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + + initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" ]; + initrd.kernelModules = [ ]; + + kernelModules = [ "kvm-intel" ]; + }; +} diff --git a/hosts/centrium/partitioning.nix b/hosts/centrium/partitioning.nix new file mode 100644 index 0000000..69074f0 --- /dev/null +++ b/hosts/centrium/partitioning.nix @@ -0,0 +1,47 @@ +{ + disko.devices = { + disk = { + main = { + device = "/dev/nvme0"; + type = "disk"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "ESP"; + start = "1MiB"; + end = "512MiB"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + start = "512MiB"; + end = "-8.8G"; + part-type = "primary"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + } + { + name = "swap"; + start = "-8.8G"; + end = "100%"; + part-type = "primary"; + content = { + type = "swap"; + }; + } + ]; + }; + }; + }; + }; +} diff --git a/hosts/features/required/auto-upgrade.nix b/hosts/features/required/auto-upgrade.nix new file mode 100644 index 0000000..5b0055c --- /dev/null +++ b/hosts/features/required/auto-upgrade.nix @@ -0,0 +1,14 @@ +{ inputs, ... }: +let + # Only enable auto upgrade if current config came from a clean tree + # This avoids accidental auto-upgrades when working locally. + isClean = inputs.self ? rev; +in +{ + system.autoUpgrade = { + enable = isClean; + dates = "hourly"; + flags = [ "--refresh" ]; + flake = "github:OSSystems/lab-builders-nix-config"; + }; +} 
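Review bot: `device = "/dev/nvme0"` in `hosts/centrium/partitioning.nix` names the NVMe controller's character device, not a block device; the namespace disko must partition is `/dev/nvme0n1`, so `zap_create_mount` will, as far as I can tell, fail on this path (the same value is repeated in `hosts/hyper` and `hosts/pikachu`). Prefer a stable identifier so a second disk that happens to enumerate first cannot be wiped instead, e.g. `device = "/dev/disk/by-id/nvme-<model>_<serial>";`. Root and swap are also unencrypted; that may be acceptable for lab builders, but swap will hold whatever the builders page out, so a one-line comment recording that this is intentional would avoid it being mistaken for an oversight.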
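Review bot: `flake = "github:OSSystems/lab-builders-nix-config"` in `auto-upgrade.nix` tracks the repository's default branch with no ref or revision, and with `dates = "hourly"` plus `--refresh` every commit that lands there is fetched and activated as root on all three hosts within the hour, so push access to that branch (or a leaked bot token that can write to it) is root on the fleet. Point the flag at a protected branch or tag used only for deployment, for example `flake = "github:OSSystems/lab-builders-nix-config/deploy";`, and enforce branch protection with required reviews on it; requiring signed commits there would add a second check. The `isClean` guard only stops dirty local trees from self-upgrading; it places no limit on what the remote can deliver, and a comment saying so would stop it being read as a safety control.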
diff --git a/hosts/features/required/console.nix b/hosts/features/required/console.nix new file mode 100644 index 0000000..ba28c88 --- /dev/null +++ b/hosts/features/required/console.nix @@ -0,0 +1,8 @@ +{ lib, ... }: + +{ + console = { + font = lib.mkDefault "Lat2-Terminus16"; + keyMap = lib.mkDefault "br-latin1-us"; + }; +} diff --git a/hosts/features/required/default.nix b/hosts/features/required/default.nix new file mode 100644 index 0000000..e0104f4 --- /dev/null +++ b/hosts/features/required/default.nix @@ -0,0 +1,29 @@ +{ + imports = [ + ./auto-upgrade.nix + ./console.nix + ./disable-desktop-features.nix + ./disable-global-dhcp.nix + ./disk-scheduler.nix + ./docker.nix + ./firmware.nix + ./home-manager.nix + ./latest-linux-kernel.nix + ./locale.nix + ./network.nix + ./nix.nix + ./nixpkgs.nix + ./no-mitigations.nix + ./openssh.nix + ./sudo.nix + ./upgrade-diff.nix + ./vscode-server.nix + ./watchdog.nix + + ../../../users/aquino + ../../../users/otavio + ../../../users/rodrigo + ]; + + system.stateVersion = "23.05"; +} diff --git a/hosts/features/required/disable-desktop-features.nix b/hosts/features/required/disable-desktop-features.nix new file mode 100644 index 0000000..13f05f4 --- /dev/null +++ b/hosts/features/required/disable-desktop-features.nix @@ -0,0 +1,15 @@ +{ lib, ... }: + +{ + # Notice this also disables --help for some commands such es nixos-rebuild + documentation.enable = lib.mkDefault false; + documentation.info.enable = lib.mkDefault false; + documentation.man.enable = lib.mkDefault false; + documentation.nixos.enable = lib.mkDefault false; + + # No need for fonts on a server + fonts.fontconfig.enable = lib.mkDefault false; + + # No need for sound on a server + sound.enable = false; +} diff --git a/hosts/features/required/disable-global-dhcp.nix b/hosts/features/required/disable-global-dhcp.nix new file mode 100644 index 0000000..8e2a560 --- /dev/null +++ b/hosts/features/required/disable-global-dhcp.nix 
@@ -0,0 +1,3 @@ +{ + networking.useDHCP = false; +} diff --git a/hosts/features/required/disk-scheduler.nix b/hosts/features/required/disk-scheduler.nix new file mode 100644 index 0000000..5b526d8 --- /dev/null +++ b/hosts/features/required/disk-scheduler.nix @@ -0,0 +1,12 @@ +_: + +{ + services.udev.extraRules = '' + # Set scheduler for NVMe + ACTION=="add|change", KERNEL=="nvme[0-9]*", ATTR{queue/scheduler}="none" + # Set scheduler for SSD and eMMC + ACTION=="add|change", KERNEL=="sd[a-z]|mmcblk[0-9]*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="mq-deadline" + # Set scheduler for rotating disks + ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq" + ''; +} diff --git a/hosts/features/required/docker.nix b/hosts/features/required/docker.nix new file mode 100644 index 0000000..a0f86ac --- /dev/null +++ b/hosts/features/required/docker.nix @@ -0,0 +1,5 @@ +{ + virtualisation.docker = { + enable = true; + }; +} diff --git a/hosts/features/required/firmware.nix b/hosts/features/required/firmware.nix new file mode 100644 index 0000000..c92b7a0 --- /dev/null +++ b/hosts/features/required/firmware.nix @@ -0,0 +1,3 @@ +{ + hardware.enableRedistributableFirmware = true; +} diff --git a/hosts/features/required/home-manager.nix b/hosts/features/required/home-manager.nix new file mode 100644 index 0000000..6592ae5 --- /dev/null +++ b/hosts/features/required/home-manager.nix @@ -0,0 +1,10 @@ +{ inputs, outputs, ... }: { + imports = [ + inputs.home-manager.nixosModules.home-manager + ]; + + home-manager = { + useUserPackages = true; + extraSpecialArgs = { inherit inputs outputs; }; + }; +} diff --git a/hosts/features/required/latest-linux-kernel.nix b/hosts/features/required/latest-linux-kernel.nix new file mode 100644 index 0000000..cff738b --- /dev/null +++ b/hosts/features/required/latest-linux-kernel.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: + +{ + boot = { + kernelPackages = pkgs.linuxPackages_latest; + }; +} 
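Review bot: Enabling Docker with the default rootful daemon in `docker.nix` makes membership of the `docker` group root-equivalent, since anyone who can reach the daemon socket can mount the host filesystem or start privileged containers, and the user modules in this patch put all three accounts in that group. That is consistent with the passwordless `wheel` policy here, but it should be stated so nobody later adds a `docker`-only account believing it is unprivileged: `# NOTE: the "docker" group is root-equivalent (full control of the daemon socket).` If unprivileged container use is the actual goal, `virtualisation.docker.rootless.enable = true` with `setSocketVariable = true` is the alternative.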
diff --git a/hosts/features/required/locale.nix b/hosts/features/required/locale.nix new file mode 100644 index 0000000..15aad08 --- /dev/null +++ b/hosts/features/required/locale.nix @@ -0,0 +1,13 @@ +{ lib, ... }: { + i18n = { + defaultLocale = lib.mkDefault "en_US.UTF-8"; + extraLocaleSettings = { + LC_TIME = lib.mkDefault "pt_BR.UTF-8"; + }; + supportedLocales = lib.mkDefault [ + "en_US.UTF-8/UTF-8" + "pt_BR.UTF-8/UTF-8" + ]; + }; + time.timeZone = lib.mkDefault "America/Sao_Paulo"; +} diff --git a/hosts/features/required/network.nix b/hosts/features/required/network.nix new file mode 100644 index 0000000..5501c41 --- /dev/null +++ b/hosts/features/required/network.nix @@ -0,0 +1,14 @@ +_: + +{ + # use TCP BBR has significantly increased throughput and reduced latency for connections + boot.kernel.sysctl = { + "net.core.default_qdisc" = "fq"; + "net.ipv4.tcp_congestion_control" = "bbr"; + }; + + # Make sure firewall is enabled + networking.firewall.enable = true; + + networking.domain = "lab.ossystems"; +} diff --git a/hosts/features/required/nix.nix b/hosts/features/required/nix.nix new file mode 100644 index 0000000..fc1bb17 --- /dev/null +++ b/hosts/features/required/nix.nix 
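Review bot: The comment `Make sure firewall is enabled` above `networking.firewall.enable = true` in `network.nix` promises more than it delivers on these hosts: the NixOS firewall filters the INPUT chain, while dockerd (enabled in this same patch) installs its own iptables rules and ports published with `-p` reach containers through NAT and FORWARD without traversing the `nixos-fw` rules, as far as I know. A caveat would stop port publishing from being assumed blocked: `# NOTE: docker-published ports (-p) bypass this firewall; bind them to 127.0.0.1 or open them deliberately.` The `fq`/`bbr` sysctls are fine as written; the `has significantly increased` comment should read `use TCP BBR: it has significantly increased throughput and reduced latency for connections`.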
@@ -0,0 +1,46 @@ +{ inputs, lib, config, ... }: +{ + nix = { + settings = { + # Caches in trusted-substituters can be used by unprivileged users i.e. in + # flakes but are not enabled by default. + trusted-substituters = [ + "https://nix-community.cachix.org" + "https://cache.garnix.io" + "https://otavio-nix-config.cachix.org" + "https://numtide.cachix.org" + ]; + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + "otavio-nix-config.cachix.org-1:4HXl0KPGJ0+tkTUn/0tHRpz1wJst9MxovLjKbsPnqS4=" + "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" + ]; + + trusted-users = [ "root" "@wheel" ]; + auto-optimise-store = lib.mkDefault true; + experimental-features = [ "nix-command" "flakes" "repl-flake" ]; + warn-dirty = false; + }; + + # improve desktop responsiveness when updating the system + daemonCPUSchedPolicy = "idle"; + + optimise.automatic = true; + + gc = { + automatic = true; + dates = "weekly"; + # Delete older generations too + options = "--delete-older-than 7d"; + }; + + # Add each flake input as a registry + # To make nix3 commands consistent with the flake + registry = lib.mapAttrs (_: value: { flake = value; }) inputs; + + # Map registries to channels + # Very useful when using legacy commands + nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry; + }; +} diff --git a/hosts/features/required/nixpkgs.nix b/hosts/features/required/nixpkgs.nix new file mode 100644 index 0000000..e8084d9 --- /dev/null +++ b/hosts/features/required/nixpkgs.nix @@ -0,0 +1,10 @@ +{ outputs, ... }: + +{ + nixpkgs = { + overlays = builtins.attrValues outputs.overlays; + config = { + allowUnfree = true; + }; + }; +} diff --git a/hosts/features/required/no-mitigations.nix b/hosts/features/required/no-mitigations.nix new file mode 100644 index 0000000..acb9c1b --- /dev/null 
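Review bot: `trusted-users = [ "root" "@wheel" ]` in `nix.nix` lets every wheel member set any daemon option per build, including `substituters`, `trusted-public-keys` and `require-sigs`, and import unsigned store paths, which is root-equivalent on the nix daemon; it matches the passwordless-sudo policy elsewhere in this patch but deserves a comment, e.g. `# NOTE: trusted-users is root-equivalent on the daemon; keep this list identical to wheel.` Each entry in `trusted-public-keys` is a root of trust that can supply arbitrary store paths whenever its cache is selected, so keep the list to caches actually used on these hosts and note why each is there. The existing comment is correct that `trusted-substituters` are opt-in rather than automatic, which usefully limits the blast radius compared with `substituters`.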
+++ b/hosts/features/required/no-mitigations.nix @@ -0,0 +1,7 @@ +{ + boot = { + kernelParams = [ + "mitigations=off" + ]; + }; +} diff --git a/hosts/features/required/openssh.nix b/hosts/features/required/openssh.nix new file mode 100644 index 0000000..433524b --- /dev/null +++ b/hosts/features/required/openssh.nix @@ -0,0 +1,24 @@ +{ lib, ... }: + +{ + services.openssh = { + enable = true; + settings = { + # Harden + PasswordAuthentication = lib.mkDefault false; + PermitRootLogin = lib.mkDefault "no"; + # Automatically remove stale sockets + StreamLocalBindUnlink = "yes"; + # Allow forwarding ports to everywhere + GatewayPorts = "clientspecified"; + }; + + hostKeys = [{ + path = "/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + }]; + }; + + # Passwordless sudo when SSH'ing with keys + security.pam.enableSSHAgentAuth = true; +} diff --git a/hosts/features/required/sudo.nix b/hosts/features/required/sudo.nix new file mode 100644 index 0000000..af947a8 --- /dev/null +++ b/hosts/features/required/sudo.nix @@ -0,0 +1,3 @@ +{ + security.sudo.wheelNeedsPassword = false; +} diff --git a/hosts/features/required/upgrade-diff.nix b/hosts/features/required/upgrade-diff.nix new file mode 100644 index 0000000..9d8abbc --- /dev/null +++ b/hosts/features/required/upgrade-diff.nix @@ -0,0 +1,9 @@ +# MIT Jörg Thalheim - https://github.com/Mic92/dotfiles/blob/c6cad4e57016945c4816c8ec6f0a94daaa0c3203/nixos/modules/upgrade-diff.nix +{ pkgs, ... }: +{ + system.activationScripts.diff = '' + if [[ -e /run/current-system ]]; then + ${pkgs.nix}/bin/nix --extra-experimental-features nix-command store diff-closures /run/current-system "$systemConfig" + fi + ''; +} diff --git a/hosts/features/required/vscode-server.nix b/hosts/features/required/vscode-server.nix new file mode 100644 index 0000000..2ede863 --- /dev/null +++ b/hosts/features/required/vscode-server.nix 
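Review bot: `mitigations=off` in `no-mitigations.nix` disables every CPU side-channel mitigation (Spectre v2, MDS, L1TF, retbleed and the rest), and because the module sits in `features/required` it applies to all hosts, which in this patch also run Docker containers and three interactive accounts; on a shared box that lets unprivileged code in a container or a user session read kernel and other-tenant memory, and nothing in the `common-cpu-intel` hardware module the hosts import overrides it. If the builders are single-tenant and the throughput matters, keep it, but move it out of `required` into a module each host opts into and document the trade-off: `# Trades CPU side-channel isolation for build throughput; only for hosts where every workload is trusted.` As written, an untrusted CI job running in a container is inside the trust boundary.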
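Review bot: The hardening block in `openssh.nix` disables `PasswordAuthentication` but leaves `KbdInteractiveAuthentication` at the module default (`yes`, as far as I can tell for this release); what actually keeps the `pw` bootstrap password from working over keyboard-interactive is that NixOS ties the sshd PAM stack's unix auth to `PasswordAuthentication`, which is indirect and worth making explicit with `KbdInteractiveAuthentication = lib.mkDefault false;`. `GatewayPorts = "clientspecified"` lets any SSH user bind remote forwards on non-loopback addresses, turning the host into a pivot for whatever the firewall leaves open; unless that is a requirement, `GatewayPorts = lib.mkDefault "no";`. The comment `Passwordless sudo when SSH'ing with keys` on `security.pam.enableSSHAgentAuth` is misleading because `sudo.nix` in this patch already makes wheel sudo passwordless for everyone, so the option is inert; either drop it or reword the comment to say it is a fallback for when `wheelNeedsPassword` is re-enabled.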
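Review bot: `wheelNeedsPassword = false` in `sudo.nix` makes any session running as a wheel member root with no further proof, and the user modules in this patch put all three accounts in wheel with a bootstrap `password = "pw"`, so a console or KVM login with that string is root on every host until someone changes it. If the convenience is wanted, pair it with removing the bootstrap passwords once keys are in place, or keep sudo passwordless only on hosts where password login is impossible. At minimum record the assumption: `# wheel is root-equivalent without a password; bootstrap passwords in users/* must not survive first login.`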
@@ -0,0 +1,9 @@ +{ inputs, ... }: + +{ + imports = [ + inputs.vscode-server.nixosModules.default + ]; + + services.vscode-server.enable = true; +} diff --git a/hosts/features/required/watchdog.nix b/hosts/features/required/watchdog.nix new file mode 100644 index 0000000..806f923 --- /dev/null +++ b/hosts/features/required/watchdog.nix @@ -0,0 +1,30 @@ +_: + +{ + systemd = { + # Given that our systems are headless, emergency mode is useless. + # We prefer the system to attempt to continue booting so + # that we can hopefully still access it remotely. + enableEmergencyMode = false; + + # For more detail, see: + # https://0pointer.de/blog/projects/watchdog.html + watchdog = { + # systemd will send a signal to the hardware watchdog at half + # the interval defined here, so every 10s. + # If the hardware watchdog does not get a signal for 20s, + # it will forcefully reboot the system. + runtimeTime = "20s"; + # Forcefully reboot if the final stage of the reboot + # hangs without progress for more than 30s. + # For more info, see: + # https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdShutdownWatchdog + rebootTime = "30s"; + }; + + sleep.extraConfig = '' + AllowSuspend=no + AllowHibernation=no + ''; + }; +} diff --git a/hosts/hyper/default.nix b/hosts/hyper/default.nix new file mode 100644 index 0000000..bd2557b --- /dev/null +++ b/hosts/hyper/default.nix @@ -0,0 +1,22 @@ +{ inputs, ... }: + +{ + imports = with inputs.nixos-hardware.nixosModules; [ + common-cpu-intel + common-pc-ssd + ] ++ [ + ../features/required + + ./partitioning.nix + ]; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + + initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" ]; + initrd.kernelModules = [ ]; + + kernelModules = [ "kvm-intel" ]; + }; +} diff --git a/hosts/hyper/partitioning.nix b/hosts/hyper/partitioning.nix new file mode 100644 index 0000000..69074f0 --- /dev/null +++ b/hosts/hyper/partitioning.nix 
@@ -0,0 +1,47 @@ +{ + disko.devices = { + disk = { + main = { + device = "/dev/nvme0"; + type = "disk"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "ESP"; + start = "1MiB"; + end = "512MiB"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + start = "512MiB"; + end = "-8.8G"; + part-type = "primary"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + } + { + name = "swap"; + start = "-8.8G"; + end = "100%"; + part-type = "primary"; + content = { + type = "swap"; + }; + } + ]; + }; + }; + }; + }; +} diff --git a/hosts/installer/default.nix b/hosts/installer/default.nix new file mode 100644 index 0000000..cd4356a --- /dev/null +++ b/hosts/installer/default.nix 
@@ -0,0 +1,51 @@ +{ config, pkgs, modulesPath, targetConfiguration, ... }: + +{ + imports = [ + ../features/required + + "${modulesPath}/installer/cd-dvd/installation-cd-base.nix" + ]; + + isoImage = { + compressImage = false; + squashfsCompression = "zstd -Xcompression-level 1"; + }; + + # Disable ZFS support, it may not be compatible + # with the configured kernel version + boot.supportedFilesystems = pkgs.lib.mkForce + [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" ]; + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + networking.useDHCP = false; + + networking.wireless.enable = false; + networking.networkmanager.enable = true; + + disko.enableConfig = false; + environment.systemPackages = with pkgs; [ + zile + + (writeShellScriptBin "nixos-do-install" '' + set -eux + + ${targetConfiguration.config.system.build.diskoNoDeps} --mode zap_create_mount + + ${config.system.build.nixos-install}/bin/nixos-install \ + --root /mnt \ + --no-root-passwd \ + --no-channel-copy \ + --system ${targetConfiguration.config.system.build.toplevel} + + echo "Syncing filesystems" + + sync + + echo "Shutting off..." + ${systemd}/bin/shutdown now + '') + ]; +} diff --git a/hosts/pikachu/default.nix b/hosts/pikachu/default.nix new file mode 100644 index 0000000..bd2557b --- /dev/null +++ b/hosts/pikachu/default.nix @@ -0,0 +1,22 @@ +{ inputs, ... }: + +{ + imports = with inputs.nixos-hardware.nixosModules; [ + common-cpu-intel + common-pc-ssd + ] ++ [ + ../features/required + + ./partitioning.nix + ]; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = true; + + initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" ]; + initrd.kernelModules = [ ]; + + kernelModules = [ "kvm-intel" ]; + }; +} 
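Review bot: `nixos-do-install` in `hosts/installer/default.nix` runs disko with `--mode zap_create_mount` unconditionally, so any invocation, including one on a machine booted from the wrong host's ISO, wipes the disk named in that host's `partitioning.nix` with no confirmation and no check that the device exists; a guard ahead of the destructive step is cheap: `read -rp "Wipe the target disk and install ${targetConfiguration.config.networking.hostName}? [yes/N] " a` followed by `[ "$a" = yes ] || exit 1`. The ISO also imports `../features/required`, so the live environment carries sshd, the three accounts with their `pw` bootstrap password, passwordless wheel sudo and `mitigations=off`, which is more than an installer needs while it sits unattended; importing only the installer-relevant modules would keep the live system from being a foothold. `--no-root-passwd` is fine because the target configuration defines the accounts.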
diff --git a/hosts/pikachu/partitioning.nix b/hosts/pikachu/partitioning.nix new file mode 100644 index 0000000..69074f0 --- /dev/null +++ b/hosts/pikachu/partitioning.nix @@ -0,0 +1,47 @@ +{ + disko.devices = { + disk = { + main = { + device = "/dev/nvme0"; + type = "disk"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "ESP"; + start = "1MiB"; + end = "512MiB"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + start = "512MiB"; + end = "-8.8G"; + part-type = "primary"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + } + { + name = "swap"; + start = "-8.8G"; + end = "100%"; + part-type = "primary"; + content = { + type = "swap"; + }; + } + ]; + }; + }; + }; + }; +} diff --git a/lib/default.nix b/lib/default.nix new file mode 100644 index 0000000..37b3c95 --- /dev/null +++ b/lib/default.nix @@ -0,0 +1,47 @@ +{ inputs, outputs }: + +{ + mkSystem = + { hostname + , system + }: + inputs.nixpkgs.lib.nixosSystem { + inherit system; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + inputs.disko.nixosModules.disko + + ../hosts/${hostname} + { + networking.hostName = hostname; + } + ]; + }; + + mkInstallerForSystem = + { hostname + , targetConfiguration + , system + }: + (inputs.nixpkgs.lib.nixosSystem { + inherit system; + + specialArgs = { + inherit inputs outputs targetConfiguration; + }; + + modules = [ + inputs.disko.nixosModules.disko + + ../hosts/installer + + { + networking.hostName = hostname; + } + ]; + }).config.system.build.isoImage; +} diff --git a/overlays/default.nix b/overlays/default.nix new file mode 100644 index 0000000..3a5fc52 --- /dev/null +++ b/overlays/default.nix 
@@ -0,0 +1,17 @@ +_: + +{ + additions = final: _: import ../pkgs { pkgs = final; }; + + modifications = _: prev: { + fzf = prev.fzf.overrideAttrs (oa: { + # https://github.com/NixOS/nixpkgs/pull/226847 + postInstall = oa.postInstall + '' + substituteInPlace $out/share/fzf/completion.* $out/share/fzf/key-bindings.* \ + --replace "\"fzf\"" "\"$out/bin/fzf\"" \ + --replace "fzf-tmux " "$out/bin/fzf-tmux " \ + --replace "fzf " "$out/bin/fzf " + ''; + }); + }; +} diff --git a/pkgs/default.nix b/pkgs/default.nix new file mode 100644 index 0000000..4fdd76d --- /dev/null +++ b/pkgs/default.nix @@ -0,0 +1,2 @@ +_: +{ } diff --git a/set-nixos-configuration b/set-nixos-configuration new file mode 100755 index 0000000..63e4451 --- /dev/null +++ b/set-nixos-configuration @@ -0,0 +1,6 @@ +#! /usr/bin/env bash + +basedir=$(dirname $(readlink -f $0)) + +rm -f /etc/nixos/* +cp -sv $(readlink -f $basedir/flake.nix) /etc/nixos/ diff --git a/users/aquino/default.nix b/users/aquino/default.nix new file mode 100644 index 0000000..71556b4 --- /dev/null +++ b/users/aquino/default.nix @@ -0,0 +1,57 @@ +{ pkgs, ... }: + +{ + users.users.aquino = { + description = "Vinicius Aquino"; + + isNormalUser = true; + extraGroups = [ "docker" "wheel" ]; + + # Default - used for bootstrapping. + password = "pw"; + }; + + home-manager.users.aquino = { + home = { + packages = with pkgs; [ + tmux + tmuxp + tree + htop + fzf + wget + unzip + nmap + gitRepo + ]; + + stateVersion = "23.05"; + }; + + programs.git = { + enable = true; + + delta = { + enable = true; + options.syntax-theme = "base16-256"; + }; + + extraConfig = { + core.sshCommand = "${pkgs.openssh}/bin/ssh -F ~/.ssh/config"; + }; + }; + + programs.ssh = { + extraConfig = '' + Host *.ossystems.com.br + HostkeyAlgorithms +ssh-rsa + PubkeyAcceptedAlgorithms +ssh-rsa + + Host *.lab.ossystems + ForwardAgent yes + ForwardX11 yes + ForwardX11Trusted yes + ''; + }; + }; +} 
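Review bot: `password = "pw"` in `users/aquino/default.nix` places a cleartext password in the world-readable Nix store of every host and of the installer ISO, and since this account has no `openssh.authorizedKeys.keys`, `pw` is its only credential while it sits in `wheel` with passwordless sudo. Use `initialHashedPassword` with a `mkpasswd -m sha-512` hash so only the hash is in the store and it applies at account creation only, or better add an ed25519 key and drop the password entirely; the `otavio` and `rodrigo` modules in this patch carry the same `password = "pw"`. The `HostkeyAlgorithms +ssh-rsa` / `PubkeyAcceptedAlgorithms +ssh-rsa` client lines re-enable SHA-1 RSA signatures for `*.ossystems.com.br`; if those servers cannot do `rsa-sha2-256`, record that in a comment so the exception is removed when they are upgraded.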
diff --git a/users/otavio/default.nix b/users/otavio/default.nix new file mode 100644 index 0000000..4009da8 --- /dev/null +++ b/users/otavio/default.nix @@ -0,0 +1,63 @@ +{ pkgs, ... }: + +{ + users.users.otavio = { + description = "Otavio Salvador"; + + isNormalUser = true; + extraGroups = [ "docker" "wheel" ]; + + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAu7exa84N7tURdEdgc7YRkxlouwrK3CbBsQh8cYIFsCwt+fd5cGzVWFMQ1ZIBo36HA9ocBGA7am4uQkBMrb5CSxpr5OGWmrPU0uE6aUtZedhdGj1f9gPJA8QeDfcYxFntQjD1f/XfprLkySD53z/w5npjquy2Y2zWrbOLyHSpU/M= otavio@server.casa.com.br" + ]; + + uid = 1000; + + # Default - used for bootstrapping. + password = "pw"; + }; + + home-manager.users.otavio = { + home = { + packages = with pkgs; [ + tmux + tmuxp + tree + htop + fzf + wget + unzip + nmap + gitRepo + ]; + + stateVersion = "23.05"; + }; + + programs.git = { + enable = true; + + delta = { + enable = true; + options.syntax-theme = "base16-256"; + }; + + extraConfig = { + core.sshCommand = "${pkgs.openssh}/bin/ssh -F ~/.ssh/config"; + }; + }; + + programs.ssh = { + extraConfig = '' + Host *.ossystems.com.br + HostkeyAlgorithms +ssh-rsa + PubkeyAcceptedAlgorithms +ssh-rsa + + Host *.lab.ossystems + ForwardAgent yes + ForwardX11 yes + ForwardX11Trusted yes + ''; + }; + }; +} diff --git a/users/rodrigo/default.nix b/users/rodrigo/default.nix new file mode 100644 index 0000000..80d79d8 --- /dev/null +++ b/users/rodrigo/default.nix 
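Review bot: The authorized key for `otavio` decodes to a 1024-bit RSA key (the blob's modulus field is 0x81 bytes, with the legacy exponent 35), which is below the size current guidance accepts and is the only barrier between the network and a passwordless-sudo account on every host in this patch; replace it with an ed25519 key, e.g. `"ssh-ed25519 AAAA... otavio"`, and if RSA keys are to stay, set `services.openssh.settings.RequiredRSASize = 3072;` (OpenSSH 9.1+) so weak ones are rejected server-side. The `PubkeyAcceptedAlgorithms +ssh-rsa` and `HostkeyAlgorithms +ssh-rsa` client lines re-enable SHA-1 signatures for `*.ossystems.com.br`; if old servers need that, a comment saying so lets it be removed once they are upgraded. `ForwardAgent yes` and `ForwardX11Trusted yes` for all of `*.lab.ossystems` hand this user's agent and display to hosts where every other account is root-equivalent; prefer per-session `ssh -A` with `ssh-add -c` and `ForwardX11Trusted no`.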
@@ -0,0 +1,65 @@ +{ pkgs, ... }: + +{ + users.users.rodrigo = { + description = "Rodrigo Medeiros"; + + isNormalUser = true; + extraGroups = [ "docker" "wheel" ]; + + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeyGNL/IH6IZ8Qrtm7JpC/+1zyURSSFYeqfqK9ANsEtqOsUWkR9Ir7P+S89nmBIYCj2RHjdMj5VWKvJJJpzR3eXAFPk1eFNWUbS91XO4DPjCGGHZkfAAyU6MzaO6CUVHSjratTmzYl37I8HVKxnqVp+QfY9Z3xWkjmhFXT0ZZNbVMksMYgNxGesyjxs3R75tvibU2F0TAF2IkHKWFWR3+Ioqy7bz7p53oWTk/cVDQssjsH7riVHlKgvg6xVVUAZMQbGtP4moLiG6+Q++m3PoeVbM3fjPWVC1b/nP02+YrHnzZD45ClpdiQJOUmEg2ZEOR0ivdcMYRNu+baUR4gosr7RnlCG5A/iwWgDzU0F39QjhDEKcZY7/IVJsgC4o4BxnVuRSPo/vOZAxXdjVhP2NLNkN0BrfbeLQeAaVcNE2Ca4LRqzJyTvm3JjpC5Ut0sZA6oQbWpfBzprL8ESCIm23OW9Ay9DwakLwH3kiGZVbBJwE92vgkGGAUtRW67Q6KTWQk= rodrigo@centrium" + ]; + + # Default - used for bootstrapping. + password = "pw"; + }; + + home-manager.users.rodrigo = { + home = { + packages = with pkgs; [ + fzf + gitRepo + htop + nmap + tmux + tmuxp + tree + unzip + wget + ]; + + stateVersion = "23.05"; + }; + + programs.neovim = { + enable = true; + }; + + programs.git = { + enable = true; + + delta = { + enable = true; + options.syntax-theme = "base16-256"; + }; + + extraConfig = { + core.sshCommand = "${pkgs.openssh}/bin/ssh -F ~/.ssh/config"; + }; + }; + + programs.ssh = { + extraConfig = '' + Host *.ossystems.com.br + HostkeyAlgorithms +ssh-rsa + PubkeyAcceptedAlgorithms +ssh-rsa + + Host *.lab.ossystems + ForwardAgent yes + ForwardX11 yes + ForwardX11Trusted yes + ''; + }; + }; +}
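Review bot: `ForwardAgent yes`, `ForwardX11 yes` and `ForwardX11Trusted yes` for every `*.lab.ossystems` host in `users/rodrigo/default.nix` forward this user's agent and a trusted X display to machines where, per this patch, all other accounts are wheel with passwordless sudo and `mitigations=off`; root on any of those hosts can sign with the forwarded agent (impersonating rodrigo on GitHub, other lab hosts and anything else the agent holds), and a trusted X11 client can read keystrokes and the screen. Forward the agent per session instead (`ssh -A`, or `ProxyJump` through the lab host without `-A`), or at least name the hosts explicitly and drop trust from X11: `ForwardAgent no` and `ForwardX11Trusted no`, with `ssh-add -c` so each agent use is confirmed. The key itself decodes to 3072-bit RSA with exponent 65537, which is fine.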